Thursday, April 26, 2012

VMWare gets jacked...


Today, virtualization and cloud computing are becoming extremely popular. This article on darkreading.com quotes Eric Chiu, founder and president of a virtualization security firm by the name of HyTrust, stating that “Virtualization is mainstream and over 50 percent of enterprise datacenters are now virtualized.” Because of this growing usage of virtual machines, they are a growing target for attack from malicious users.

Theft of a portion of VMWare's ESX Hypervisor product is a big deal. VMWare apparently did not offer any clues as to how or when the breach occurred, but a hacker has taken credit for the theft and posted one file's worth of source code for public viewing. VMWare officials, the article explains, say that the code is legitimate, but from inspection of the code and the developer comments, they say it dates back to 2003-2004.

VMWare claims that customers should not be concerned about any risks brought about by this theft and broadcast of the code. They stand firm with their philosophy of not relying on security through obfuscation. That is, they keep source code shared among certain industry partners in order to increase the number of eyes and brains working on making the code as secure as possible.

"VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available."

I believe, and have said it many times before, that this is crucial to circumventing the problems that present themselves when breaches do happen. A similar situation happened with Symantec's PC Anywhere suite, and they suffered severe public image damage, customer loss, market share damage, and brand loyalty loss due to the vulnerabilities that ensued after a similar breach and broadcast of some of their source code. Symantec operated on a security-through-obfuscation model and treated source code as top secret, assuming that if you can't see the code, you can't take advantage of the not-so-ideal coding practices that cause vulnerabilities.

The article explains, and I agree, that it just goes to show you that even the most prepared companies, with balls-to-the-wall security and non-disclosure implementations, can still fall victim to this type of security breach. Whether it was due to a great-wall attack, a middleman, or simply a social engineering hijack, we do not know, but does it really matter?

Furthermore, this announcement by VMWare bolsters the argument for open source products. A good idea in this day and age of software, in my opinion, is to get as many brains as possible to look at your product's code, to widen the range of perspectives and increase the chances of finding flaws and vulnerabilities before they become a real threat to customers.
